GHSA-gv3v-92v6-m48j

Source

https://github.com/advisories/GHSA-gv3v-92v6-m48j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gv3v-92v6-m48j/GHSA-gv3v-92v6-m48j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gv3v-92v6-m48j

Aliases

CVE-2020-7622
SNYK-JAVA-IOJOOBY-564249

Published

2020-04-03T15:23:30Z

Modified

2023-11-08T04:04:01.043687Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)

Details

Impact

Cross Site Scripting
Cache Poisoning
Page Hijacking

Patches

This was fixed in version 2.2.1.

Workarounds

If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.

References

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

Root Cause

This roots cause back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.

Reported By

This vulnerability was reported by @JLLeitschuh (Twitter)

For more information

If you have any questions or comments about this advisory: * Open an issue in jooby-project/jooby

Database specific

{
    "nvd_published_at": "2020-04-06T15:15:00Z",
    "github_reviewed_at": "2020-04-02T23:59:56Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-444"
    ]
}

References

Affected packages

Maven / io.jooby:jooby-netty

Package

Name: io.jooby:jooby-netty; View open source insights on deps.dev
Purl: pkg:maven/io.jooby/jooby-netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.1

Affected versions

2.*

2.0.0.M1

2.0.0.M2

2.0.0.M3

2.0.0.RC1

2.0.0.RC2

2.0.0.RC3

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.1.0

2.2.0